It’s the large data controllers—the companies responsible for safeguarding the data—who will drive enforcement by requiring that their data processors become compliant and cutting them off if they don’t, McGarr notes. Under GDPR, small companies not only face the financial stress of being compliant, but they will now find themselves competing with their peers for the business of large corporations based on how compliant they are. “Short term, this is a shocking competitive advantage,” said McGarr.
Aaron Tantleff, a cybersecurity expert at law firm Foley & Lardner, said: “Clearly, the drafters of the GDPR realized that by wielding such a large stick, they would be able to force companies into compliance out of fear.”
“Those who are thinking about misbehaving will find themselves with greater liability under the GDPR,” Tantleff said. “Despite the under-funded or under-resourced nature of the supervisory authorities, I do not see those entities letting companies skate by.”